[SOLVED] Trouble verifying database password

[catelee2u]

Thankyou to everyone who responded to my last post (I can't find the posting, it has been buried).

 

I am currently making a login form and the associated php code. It all seems to work apart from the part below. I am constantly being told in the output error 'The password you entered is not correct' . When I register a user, my registration code adds the password to the database in an md5 encrypted state. I think it has something to do with that and have tried looking up md5 encryption but still don't understand why I am not able to verify my password entered on the login page with the one registered in the database.

 

//Verify password entered matches stored password md5?

$loginname = mysql_real_escape_string($_POST['loginname']);

$pwd = md5($_POST['loginpwd']);

$verify = mysql_query("SELECT loginpwd FROM members WHERE loginname = '$loginname' ");

if ($verify != $pwd)

{die('The password you entered is not correct');}

 

Thanks in advance.

[svgmx5]

You have to verify the password and username in the databse at the same time. You can try this instead

 

$verify = mysql_query("SELECT * FROM members WHERE loginname = " '.$loginname. ' " AND loginpwd = " '.$pwd.' " ");

 

Try that see if it works

[seanlim]

It does not work because $verify is a reference to the mysql query, and not the results of the query.

 

To use your method, add another line below the query

 

$row = mysql_fetch_array($verify);

 

and change your condition to

 

if($row['loginpwd']==$pwd)

 

However, it might be slightly more efficient to use svgmx5's method of comparing both the username and password in mysql.

[svgmx5]

what you can do that i've found worked best for me is the following:

 

$loginname = mysql_real_escape_string($_POST['loginname']);
$pwd = md5($_POST['loginpwd']);

$sql = "SELECT * FROM members WHERE loginname = " '.$loginname. ' " AND loginpwd = " '.$pwd.' " ";
$run = mysql_query($sql) or die(mysql_error());
$fetch = mysql_fetch_assoc($run);

//fetch the username and id from the databse						
$duser = $fetch['loginname'];
$dpass = $fetch['loginpwd'];
$id = $fetch['memberid'];
//check to see that the username and password that was posted matches the username and password from the database
if($loginname==$duser && $pwd==$dpass){
        
        //start the session 'member' and match the memberid with the id from the database
$_SESSION['member'] = TRUE;
$_SESSION['memberid'] = $id;
//if succesfull then just send them to the location
echo "<script type='text/javascript'> window.location='index.php' </script>";
}
//otherwise show an error
else{//show an error and that username and password was not valid

 

I've tested this code and it does work. Not sure anymore about the 'or die()' function ever since i read Daniel0 blog about it. but other than that it works

 

Hope this helps

[catelee2u]

Hi

Thankyou both so much for your replies. I have read and understood both. I managed to get it working eventually. The code wasn't the only issue. Once I fiddled with code and it still wasn't working (I was at the ripping out of hair stage) I went to looking back at the md5.

 

I had set the database to only accept 10 characters for the password and so it wasn't storing the full md5 of the password so when it checked the entered password md5 (which was the full md5) against the stored password (first 10 chars of the md5)  they didn't match. D'oh ;-)

 

Thanks again,

Catherine.

[svgmx5]

ahh, well it happens. Usually i set it to 50, just to be safe.

 

Anyway, any more q's just ask